Integrating Risk Management and Compliance into Integrated Financial Management Information Systems - PowerPoint PPT Presentation

1 / 41
About This Presentation

Integrating Risk Management and Compliance into Integrated Financial Management Information Systems


... 5 main professional accounting organizations in the ... The Institute of Management Accountants (IMA) ... Title I Public Company Accounting Oversight Board. ... – PowerPoint PPT presentation

Number of Views:950
Avg rating:3.0/5.0
Slides: 42
Provided by: PatrickS70


Transcript and Presenter's Notes

Title: Integrating Risk Management and Compliance into Integrated Financial Management Information Systems

Integrating Risk Management and Compliance into
Integrated Financial Management Information
Systems (IFMIS)
The Global Financial Environment
The Global Financial Environment
  • No successful economy or government can operate
    today without global interconnectivity
  • Markets and industries exist transparently across
    the globe, and conduct business 24 hours a day.
  • Growth of that connectivity has increased the
    demands for the availability and reliability of
    financial information
  • That information demand is fed by the growing use
    of automated Financial Management Systems, using
    integrated Information Technology (IT).

The New Financial Reporting Environment
  • As a result of the global economy, Financial
    Reporting must be relevant, timely, and
    comparable across jurisdictions
  • Company assets are considered more "intangible"
    and subject to inconsistent valuation
  • Company data is instantly accessible but not
    always sufficient to satisfy all stakeholders
  • Citizens
  • Shareholders
  • Regulators

The Result of their Analysis?
  • In the long term, Financial reporting will be
    standardized to provide adequate information to
    all interested parties
  • Global auditing standards will converge and
    harmonize to deliver reasonable assurance of the
    accuracy of financial reports
  • Adoption of new data standards to improve
    enforcement of controls and improve detection of
  • Financial systems must have adequate internal
    controls enabled for consistent transparency

Impact on Federal Managers
  • Governments are increasingly involved in global
    financial markets, not only as regulators but as
    investors and participants.
  • They must provide the highest quality financial
    information to a range of interested parties, in
    a multitude of formats, often with repetitive
    efforts and inefficient processes.
  • Government agencies are entrusted by their
    citizens to maintain sound financial practices,
    limit fraud and corruption, and provide adequate
    controls over financial reporting

Overview of Internal Controls
Internal Controls Defined
  • Internal control is broadly defined as a
    process, effected by an entity's board of
    directors, management, and other personnel, that
    is designed to provide reasonable assurance
    regarding the achievement of objectives in the
    following categories
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
  • Source - The Committee of Sponsoring
    Organizations of the Treadway Commission
    Internal Control Integrated Framework

Management has a fundamental responsibility to
develop and maintain effective internal control.
Background on Internal Controls
  • Internal control is a means of managing the risk
    associated with programs and operations

Internal controls organization, policies, and
procedures are tools to help program and
financial managers achieve results and safeguard
the integrity of their program
  • Committee of Sponsoring Organizations of the
    Treadway Commission (COSO)
  • US private-sector initiative created in 1985.
  • Its major objective is to identify the factors
    that cause fraudulent financial reporting and to
    make recommendations to reduce its incidence.
  • COSO is sponsored by 5 main professional
    accounting organizations in the US
  • American Institute of Certified Public
    Accountants (AICPA),
  • American Accounting Association (AAA),
  • Financial Executives Institute (FEI),
  • The Institute of Internal Auditors (IIA)
  • The Institute of Management Accountants (IMA).
  • COSO has established a common definition of
    internal controls, standards, and criteria
    against which companies and organizations can
    assess their control systems which is the basis
    for the SOX Internal Control framework.
  • Source

COSO Internal controls structure
Control Environment
  • Sets the tone of the organization influencing
    control consciousness of its people
  • Includes integrity, ethical values, competence,
    authority, and responsibility
  • Acts as foundation for all other components of

Risk Assessment
  • Identification and analysis of relevant risks to
    achieving the entity's objectives forming the
    basis for determining control activities

Control Activities
  • Policies and procedures assure management's
    directives are carried out
  • Range of activities, including approvals,
    authorizations, verifications, recommendations,
    performance reviews, asset security, and
    segregation of duties

Information and Communication
  • Pertinent information identified, captured, and
    communicated in a timely manner
  • Access to internally and externally generated
  • Flow of information that allows for successful
    control actions from instructions on
    responsibilities to summary of findings for
    management action

  • Assessment of a control system's performance over
  • Combination of ongoing and separate evaluation
  • Management and supervisory activities
  • Internal audit activities

Internal Controls Are Integrated into Processes
Global Trends in Internal Control mandates
U.S. Sarbanes-Oxley Act
  • The Public Company Accounting Oversight Act,
    otherwise known U.S. Sarbanes-Oxley Act of 2002
    or "SOX".
  • Composed of three sections
  • Title I Public Company Accounting Oversight
    Board. PCAOB formed as branch of Securities and
    Exchange Commission (SEC). Public Auditing firms
    must register with PCAOB and are now brought
    under the regulation of the PCAOB.
  • Title III Corporate Responsibility. Section 302
    establishes certification requirements for CEOs
    and CFOs of Annual and Quarterly reports filed
    with the SEC.
  • Title IV Enhanced Financial Disclosures.
    Section 404 (a) requires management to assess and
    report on internal controls, and Section 404 (b)
    requires the companys External Auditor to attest
    to and report on managements assertions on
    internal controls.

Canadian Bill 198
  • Published in 2003 by the Ontario Securities
    Commission and the Canadian Security
  • Consists of three statutes
  • Multilateral Instrument 52-108 Auditor Oversight
  • Multilateral Instrument 52-109 Certification of
    Disclosure in Companies' Annual and Interim
    Filings (CSOx)
  • Multilateral Instrument 52-110 Audit Committees
  • Multilateral Instrument 52-109 is basically
    Section 302 with an emphasis on Disclosure
    Controls and Procedures (DCP).
  • Implementation of Section 404 equivalent
    certification still pending

Japanese SOX (J-SOX)
  • February 15th, 2007 Business Accounting Council
    of the Financail Services Agency
  • "Implementation Standards for Evaluation and
    Auditing of Internal Controls over Financial
  • Requires all publicly-held companies to submit
    consolidated internal control reports on or after
    April 1, 2008
  • Reporting standards similar to sections 302 and
    404 under US SOX.

Evolution of Internal Controls in the US
Sarbanes Oxley 2002
Budget and Accounting Procedures Act of 1950
DHS Financial Accountability Act 2004
FMFIA 1982
IG Act 1978
FFMIA 1996
FISMA 2002
CFO Act 1990
OMB A-123 2004
OMB A-123 1995
OMB A-123 1981
OMB QA 1984
CFO Council Implementation Guide 2005
GAO Green Book 1999
GAO Green Book 1983
Other International Government Standards
  • INTOSAI Internal Control Standards
  • UK Government Internal Audit Good Practice Guide
  • Canada Government Internal Audit Policy
  • Institute of Internal Auditors (IIA) Code of
  • Canadian Government risk management framework

Integrated Financial Management Information
Systems (IFMIS)
Describing a Financial Management System
  • The term "financial management system" means an
    information system, comprised of one or more
    applications, that is used for any of the
  • Collecting, processing, maintaining,
    transmitting, and reporting data about financial
  • Supporting financial planning or budgeting
  • Accumulating and reporting cost information or
  • Supporting the preparation of financial
  • A financial system may include multiple
    applications that are integrated through a common
    database or are electronically interfaced, as
    necessary, to meet defined data and processing
  • Source Office of Management and Budget (OMB)
    Circular A-127

Information Technology (IT) and IFMIS
  • IFMIS systems are designed to automate financial
    process to aid transparency and accountability in
    public financial management
  • Modern Financial Management Systems are driven by
  • Key to driving adequate transparency and
    accountability is to enable systems with
    comprehensive internal controls framework
  • IT requires special considerations to properly
    implement and enforce Internal Controls

IT 's Potential Contribution to Internal Control
  • IT provides potential benefits of effectiveness
    and efficiency for an entitys internal control
    because it enables an entity to
  • Consistently apply predefined business rules and
    perform complex calculations in processing large
    volumes of transactions and data
  • Enhance the timeliness, availability, and
    accuracy of information
  • Facilitate the additional analysis of information
    from multiple sources on an as needed basis

IT's Potential Contribution to Internal Control
  • Enhance the ability to monitor the performance of
    the entitys activities, policies, and procedures
  • Reduce the risk that controls will be
  • Enhance the ability to achieve effective
    segregation of duties by implementing security
    controls in applications, databases, and
    operating systems

IT as a Source of Risk
  • Reliance on systems or programs that are
    inaccurately processing data, processing
    inaccurate data, or both
  • Unauthorized access to data that may result in
    destruction of data or misappropriation of assets
    through improper changes to data, including the
    recording of unauthorized or nonexistent
    transactions, or inaccurate recording of
  • Potential loss of data
  • Unauthorized changes to data in master files
  • Unauthorized changes to systems or programs
  • Failure to make necessary changes to systems or
  • Inappropriate manual intervention

  • Automation of Internal Controls and Risk

Why Automate the Controls Process?
  • Given the complexity of IT and financial
    reporting, automated controls software can
    potentially provide tremendous benefits to an
    internal controls program.
  • Automated solutions can detect, monitor, and
    report a wide range of control issues, risk
    areas, and performance indicators.
  • Software allows for business rules to be built
    into system to insure compliance with regulations
    and automate reporting processes.

Benefits of automation
  • Provides structure for the internal control
  • Improves monitoring of control deficiencies and
    corrective action plans at all levels of
    management within an organization
  • Provides a repository of documentation that can
    be made available to auditors and stakeholders
  • Enables senior management to gain awareness of
    areas that require process changes or additional

Discipline over internal control program
  • Software can help an organization maintain
    discipline over its internal control program by
    providing a framework for documenting and
    assessing controls, testing internal controls or
    controlling the workflow to ensure the controls
    are enforced
  • Software can make it easier to demonstrate your
    internal controls to your auditors and may lessen
    the amount of testing that needs to be performed
    by the auditors

Uses of automated internal control software
  • The types of software available in the market
  • Testing and Reporting
  • Document and records management
  • Business process modeling
  • Policy management
  • Risk management and risk assessment
  • Support for multiple control frameworks
  • Support for multiple regulations across multiple
    business units
  • Controls automation and monitoring

Repository software
  • Provides a central repository for the
    documentation of internal controls throughout the
  • Allows the documentation of workflow and key
    processes, control objectives, control activities
    and risks for each major function in the
  • May be set up as a web based tool that allows
    multiple users to input information
  • Allows the organization to centrally manage the
    documentation of internal controls and capture
    information about the results of testing
  • May come "out of the box" with standard templates
    for control objectives, control activities and

Testing software
  • Allows an organization to test the internal
    controls of a system by directly interfacing with
    the system
  • May test for segregation of duty and
    authorization violations
  • Allows organizations to identify where violations
    can or have occurred and make changes to business
    processes or roles as appropriate
  • May come "out of the box" with standard control
    objectives and control activities that can be
    modified as appropriate
  • May has a limited repository capability to
    document workflow

Business process management software
  • Allows an organization to design and dictate the
    workflow for a given process
  • Integral to the performance of the process
  • Allows for the documentation of the workflow
  • The workflow is performed outside of the primary
  • Helps ensure the workflow process is performed as
    designed by not allowing the process to continue
    until each step is performed
  • May include features such as email notification
    when a step has been completed
  • May have a limited capability for repository or
    to test transactions

Reporting capabilities
  • Capabilities may allow for management reports to
    provide a status on one or more of the following
  • Documentation or testing of controls
  • Potential violations that have been identified
  • Where a document is in the process
  • May also allow for customizable management
  • May be capable of personalized "dashboards" for
    each user that present a current status, a "to
    do" list and interactive reports with drilldown

Basic steps to implementing a software solution
  • Selection
  • Products should be selected based on the needs of
    a defined internal controls program
  • A requirements analysis should be performed to
    identify areas that the program can be improved,
    or further meet compliance goals
  • The analysis forms the basis for product
  • Implementation
  • Once a product is selected, an implementation
    plan should be developed
  • The plan incorporates the required steps to
    implement the solution and how the functions will
    be used in the corresponding areas of the
    internal control program

Basic steps to implementing a software solution
  • Utilization
  • Once the solution is fully implemented, the full
    functionality of the solution can be utilized
  • Key performance indicators (KPIs) should be
    established that measure how well the solution is
    improving risk management and compliance efforts.
  • Example KPIs include
  • Improved rate of fraud detection
  • Improved speed in reporting
  • Accuracy of reporting measures

  • The implementation, maintenance and reporting of
    Internal controls compliance and risk management
    is the way of the future for global financial
    management and accounting
  • Financial reporting will become increasingly
    demanding and require greater transparency and
    validity of financial information
  • Automated tools and processes can be of benefit
    in managing the increasing level of effort in
    meeting the demands for financial reporting,
    managing risk and providing reasonable assurance
    of internal controls and fraud detection.
Write a Comment
User Comments (0)